
Weekly Threat Briefing: New Banking Trojan Infects Victims via McDonald's Malvertising

The intelligence in this week’s iteration discusses the following threats: Backdoors, Cryptocurrency, Data breaches, Malware, and Trojans. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.

Anomali Threat Research
November 26, 2019
<div id="weekly"><p id="intro">The intelligence in this week’s iteration discusses the following threats: <strong>Backdoors, Cryptocurrency, Data breaches, Malware, </strong>and<strong> Trojans</strong>. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.</p><p><img src="https://anomali-labs-public.s3.amazonaws.com/526317.png"/><br/> <b>Figure 1: IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p><div id="trending-threats"><h1 id="trendingthreats">Trending Threats</h1><p><a href="https://www.bankinfosecurity.com/compromised-website-led-to-aussie-parliament-hack-a-13412" target="_blank"><b>Compromised Website Led to Australia Parliament Hack</b></a> (<i>November 18, 2019</i>)<br/> The Australian Parliament was infected through a watering-hole attack when politicians browsed a legitimate website that had already been compromised. The attack was discovered in January, and the Australian government has stated that the intrusion resulted in a “small amount of non-sensitive data” being breached. 
The investigation was conducted by the Australian Signals Directorate.<br/> <a href="https://forum.anomali.com/t/compromised-website-led-to-australia-parliament-hack/4391" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947209">[MITRE ATT&amp;CK] Third-party Software - T1072</a> | <a href="https://ui.threatstream.com/ttp/1259983">[MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a> | <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a></p><p><a href="https://www.bleepingcomputer.com/news/security/new-banking-trojan-infects-victims-via-mcdonald-s-malvertising/" target="_blank"><b>New Banking Trojan Infects Victims via McDonald’s Malvertising</b></a> (<i>November 20, 2019</i>)<br/> A new banking trojan called “Mispadu” has been seen using McDonald’s coupon lures in Latin America. The trojan has been developed to target Brazilian and Mexican victims, with a unique variant for each country. The lures have been distributed through email and Facebook adverts. Once a victim has been infected, they are served fake pop-up advertisements that attempt to persuade them into revealing personal information. The trojan also steals device and system information and scrapes credentials from browsers and input forms. 
This behaviour is similar to the Casbaneiro and Amavaldo trojans.<br/> <a href="https://forum.anomali.com/t/new-banking-trojan-infects-victims-via-mcdonald-s-malvertising/4392" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947209">[MITRE ATT&amp;CK] Third-party Software - T1072</a></p><p><a href="https://www.cyberscoop.com/thomas-osadzinski-isis-propaganda-fbi/" target="_blank"><b>20-year-old Chicago man charged with writing code to spread ISIS propaganda</b></a> (<i>November 19, 2019</i>)<br/> Thomas Osadzinski has been arrested by U.S. authorities for attempting to provide material support to a terrorist organisation. Osadzinski told undercover FBI agents that he was creating a custom Gentoo Linux system to be used solely by ISIS members. Osadzinski is 20 years old and is a student at DePaul University. The code Osadzinski was developing would have been used to help spread propaganda for the terrorist group ISIS.<br/> <a href="https://forum.anomali.com/t/20-year-old-chicago-man-charged-with-writing-code-to-spread-isis-propaganda/4393" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a></p><p><a href="https://www.vice.com/en_us/article/vb5agy/phineas-fisher-offers-dollar100000-bounty-for-hacks-against-banks-and-oil-companies" target="_blank"><b>Phineas Fisher Offers $100,000 Bounty to Hack Banks and Oil Companies</b></a> (<i>November 17, 2019</i>)<br/> Phineas Fisher has released a manifesto that provides details of their previous hacks and offers to pay hackers up to $100,000 if they can hack organisations as part of a “Hacktivist Bug Hunting Program”. 
The organisations that Phineas is keen for hackers to leak from are mining, logging and livestock companies, Baykar Makina, Havelsan, surveillance companies such as the NSO Group, Blackwater and Halliburton, GeoGroup, CoreCivic / CCA, and corporate lobbyists such as ALEC.<br/> <a href="https://forum.anomali.com/t/phineas-fisher-offers-100-000-bounty-to-hack-banks-and-oil-companies/4394" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&amp;CK] System Information Discovery - T1082</a></p><p><a href="https://www.cybereason.com/blog/phoenix-the-tale-of-the-resurrected-alpha-keylogger" target="_blank"><b>Phoenix: The Tale Of The Resurrected Keylogger</b></a> (<i>November 20, 2019</i>)<br/> A new keylogger called “Phoenix” is being tracked by Cybereason’s Nocturnus team and is becoming popular among cybercriminals. The keylogger has a range of information-stealing capabilities and is offered as Malware-as-a-Service. It can steal passwords, capture input, exfiltrate data, and has anti-VM capabilities. It can kill the processes of over 80 different security products and steal information from 20 different browsers. 
It can exfiltrate data through the Telegram messaging app and, according to the research, has the same author as the Alpha keylogger.<br/> <a href="https://forum.anomali.com/t/phoenix-the-tale-of-the-resurrected-keylogger/4395" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&amp;CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&amp;CK] System Information Discovery - T1082</a></p><p><a href="https://www.helpnetsecurity.com/2019/11/20/confidential-medical-images/" target="_blank"><b>1.19 billion confidential medical images available on the internet</b></a> (<i>November 20, 2019</i>)<br/> Greenbone Networks research into the security of Picture Archiving and Communication Systems (PACS) servers used by health providers has revealed that the number of data records accessible online is increasing. The researchers found that 1.19 billion confidential medical images were currently accessible, some containing military personnel numbers, social security numbers, names and dates of birth.<br/> <a href="https://forum.anomali.com/t/1-19-billion-confidential-medical-images-available-on-the-internet/4396" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1259983">[MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a></p><p><a href="https://thehackernews.com/2019/11/hacking-monero-cryptocurrency.html" target="_blank"><b>Official Monero Site Hacked to Distribute Cryptocurrency Stealing Malware</b></a> (<i>November 20, 2019</i>)<br/> The Monero cryptocurrency project website was compromised by an attacker who replaced the clean Linux and Windows downloads with malicious versions designed to steal from victims’ digital wallets. 
According to researchers from BartBlaze, the binaries were injected with new functions that send the victim’s “wallet seed” (a secret key) to the attackers. The seed allows a user to restore access to the wallet, so possessing it gives the attackers the ability to steal any cryptocurrency the victim had stored. The issue was discovered on Monday when a user noticed that the hashes of the downloaded binaries did not match the ones listed on the site. The Monero team confirmed on Wednesday 20 November that they had been compromised. The identity of the attackers is still unknown.<br/> <a href="https://forum.anomali.com/t/official-monero-site-hacked-to-distribute-cryptocurrency-stealing-malware/4397" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2336968">[MITRE ATT&amp;CK] File Permissions Modification - T1222</a></p><p><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/mac-backdoor-linked-to-lazarus-targets-korean-users/" target="_blank"><b>Mac Backdoor Linked to Lazarus Targets Korean Users</b></a> (<i>November 20, 2019</i>)<br/> A new backdoor targeting macOS and linked to the North Korean “Lazarus” group has been detected by Trend Micro researchers. The researchers first analysed a malicious macro-embedded Excel document posted on Twitter by user “cyberwar_15”. They found that the macro in the sample runs a PowerShell script that connects to three command-and-control (C&amp;C) servers. An in-the-wild app suspected to be from the same campaign was discovered by the researchers because it connects to the same C&amp;C servers. This app contains two Flash Player files, one of which is a malicious, hidden Mach-O file. The infected Flash Player file plays a decoy video using the legitimate instance while it creates a hidden file at ~/.FlashUpdateCheck. 
This hidden file is the backdoor and connects to the C&amp;C servers.<br/> <a href="https://forum.anomali.com/t/mac-backdoor-linked-to-lazarus-targets-korean-users/4398" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947268">[MITRE ATT&amp;CK] Hidden Files and Directories - T1158</a> | <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&amp;CK] Input Capture - T1056</a></p><p><a href="https://www.cyberscoop.com/un-resolution-internet-cybercrime-global-norms/" target="_blank"><b>The U.N. passed a resolution that gives Russia greater influence over internet norms</b></a> (<i>November 18, 2019</i>)<br/> A new U.N. resolution has been passed that seeks to establish a group to investigate and prevent cybercrime. The resolution was passed with the support of Russia and over the criticism of the United States, which does not approve of it and is “disappointed” in the sponsors of the resolution. According to CyberScoop, this is “the latest Russian effort at the U.N. level to influence global behavior norms in cyberspace”.<br/> <a href="https://forum.anomali.com/t/the-u-n-passed-a-resolution-that-gives-russia-greater-influence-over-internet-norms/4399" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.bankinfosecurity.com/new-javascript-skimmer-found-on-ecommerce-sites-a-13411" target="_blank"><b>New JavaScript Skimmer Found on E-Commerce Sites</b></a> (<i>November 15, 2019</i>)<br/> Researchers at Visa have uncovered a new JavaScript skimmer on e-commerce sites. The new skimmer has been labelled “Pipka” and is designed to steal payment information. It has been detected on at least 27 e-commerce sites. The skimmer attempts to steal card numbers, expiration dates, card verification value (CVV) numbers, and the name and address of the victim. 
Visa researchers have not attributed the skimmer to any particular criminal group.<br/> <a href="https://forum.anomali.com/t/new-javascript-skimmer-found-on-e-commerce-sites/4400" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947209">[MITRE ATT&amp;CK] Third-party Software - T1072</a> | <a href="https://ui.threatstream.com/ttp/947137">[MITRE ATT&amp;CK] Supply Chain Compromise - T1195</a></p></div></div>
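The Monero compromise above was caught because a user compared a download's hash with the list published on the site. The following script, an added example that is not part of the briefing or of the Monero project, automates that check for a directory of downloads against a sha256sum-style hash list; the hash list format, the file names and the file contents are constructed assumptions.

```python
"""Verify downloaded release binaries against a publisher's hash list.

Assumed hash list format: one "<sha256 hex>  <filename>" line per file,
as written by `sha256sum`. Every file in the download directory is
classified as ok, MISMATCH (hash differs from the published one) or
UNLISTED (no published hash at all), so a tampered or unexpected file
never passes silently.
"""
import hashlib
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_hash_list(text):
    """Parse sha256sum-style lines into {filename: expected_hex}.

    Blank lines and '#' comments are skipped; a leading '*' on the
    filename (sha256sum binary mode) is stripped. Malformed lines raise,
    because a hash list that cannot be parsed must not be treated as valid.
    """
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hex_digest, _, name = line.partition("  ")
        name = name.lstrip("*")
        if len(hex_digest) != 64 or not name:
            raise ValueError(f"malformed hash list line: {line!r}")
        expected[name] = hex_digest.lower()
    return expected


def verify_downloads(download_dir, hash_list_text):
    """Return {filename: "ok" | "MISMATCH" | "UNLISTED"} for each file."""
    expected = parse_hash_list(hash_list_text)
    results = {}
    for name in sorted(os.listdir(download_dir)):
        path = os.path.join(download_dir, name)
        if not os.path.isfile(path):
            continue
        actual = sha256_of_file(path)
        if name not in expected:
            results[name] = "UNLISTED"
        elif actual == expected[name]:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Constructed scenario: a clean download, a tampered one, an extra file."""
    clean = b"release installer bytes (constructed sample)"
    tampered = clean + b"\x00injected stealer stub (constructed sample)"
    published = hashlib.sha256(clean).hexdigest()
    hash_list = (
        "# constructed hashes.txt as a publisher would post it\n"
        f"{published}  wallet-linux-x64.tar.bz2\n"
        f"{published}  wallet-win-x64.zip\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        files = {"wallet-linux-x64.tar.bz2": clean,
                 "wallet-win-x64.zip": tampered,
                 "README.txt": b"not in the hash list"}
        for name, data in files.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return verify_downloads(tmp, hash_list)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9s} {name}")
```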
Anomali Threat Research

Anomali's Threat Research team continually tracks security threats to identify when new, highly critical security threats emerge. The Anomali Threat Research team's briefings discuss current threats and risks like botnets, data breaches, misconfigurations, ransomware, threat groups, and various vulnerabilities. The team also creates free and premium threat intelligence feeds for Anomali's industry-leading Threat Intelligence Platform, ThreatStream.


